- Printed voting receipt- All code open source, all architecture fully documented and publicly available- No person-vote information recorded in database (database lists people as "voted" or "not voted", as soon as person enters a vote it changes to "voted" and won't allow another vote, while a separate database increments a counter for a particular candidate. These two databases are NOT linked together.- No timestamps to ensure manual matchmaking between people and votes are not possible.

Ah hell. I could come up with lots of other reasonable suggestions, but its not like any of this will ever be implemented.

There will be too many people with these receipts to safely assume that no one will crack it. Cracking most stuff is damn near impossible, but when you're talking about double-digit percentage of the populous with the will to discover the key, I'm pretty sure they'll come up with something. You don't need more than about 1-10 people that happen to have access to a university supercomputer and are willing to legitimately or illegitamately use it to brute force the key.

Receipt is a great idea.For one, you could get a discount on your union dues with a Democrat on your voter receipt.Or you could use it to secure your job (since your boss won't fire you if he can see you voted Republican).Or you could sell it to the highest bidder: exchage your Billary/Osama receipt for a $20 gift card (for example). Buying votes otherwise is a real pain: people take your money but can still vote for the other guy if you don't watch them.

Your second option is not possible (as stated) unless the database links individual people to individual votes, which in turn violates ballot secrecy (with traditional voting, when you enter a ballot, you don't write your name on it, and while the auditor can count the number of votes, they can never know who voted for them).The digital voting controls should be similar to traditional voting (count how many people entered/left and compare to number of votes), but NEVER record the voters identity on the ball

um with the 1930 electonric voting machines you could do both of those with out comprimising data personal data.

It means the voter doesn't log into the voting booth. the voter should only walk up to the both press a few buttons get a confirmation receipt and then stick said receipt in another box. The voting machine then is reset for another voter.

Electronic voting should only make counting faster not a complex database system that records everything about the voter.

Indeed a regular computer system is a waste in such a case. no more than powerful than the newton, or early palm is needed, no full oS is needed. the least complex the better.

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed.

Why do you need to print a voting receipt then? If the voter isn't going to take anything with them (not a good idea anyway), and they're going to leave something behind, then the ballot is the voting "receipt".

The only valid reason for checking peoples' IDs at the voting place is try and make sure that each person is eligible to vote, and gets one and only one ballot. Beyond that, there is no reason to keep track of any voter's ID.

No, the receipt should be the ballot, not the other way around. One machine is meant to help the voter produce a human and machine readable vote, the voter can check the produced ballot unassisted and decide whether or not to submit it.

You don't want a ballot that has a separated human and machine-readable codes. The counting machines (if you use them) should be capable of reading the same part of the ballot that the human reads, and vice versa, so there's as little ambiguity as possible between what the machines are looking at, and what the humans are looking at.Of course, if the essential information is human readable, then you don't need machines to do any counting either - all of the old, time-tested procedures for vote-counting paper

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed.

I'm looking forward to checking this out when I get in to work, I just finished writing a SQL Server/ASP vote tally/display system for our municipal election next week. I'm hoping that my boss and higher-ups will let me put the code on SourceForge, it's moderately sweet with only three tables: everything is done through queries and two stored procedures.

A printed receipt that you drop in a box after visual verification sounds great.

In practice I wonder how that would work for elections where you vote for many different items. I just finished voting on a bunch of proposed constitutional changes on an electronic voting machine in Texas. Even the final verification screen was pretty useless unless you had a reference sheet to compare against. It was just a long list of Prop #1 - No, Prop #2 - Yes,... Prop #666 - Yes, etc. and no descriptions of individual i

Even if all the above were in place, and you could come up with the perfect system to run on voting machines, and make it decentralized, etc, etc. How would you know that what was in the source code is what's running on the machine?If you can't see what's going on in the machine, when you cast your vote, you can't be sure of anything. Elections and voting are too important to leave up to these machines, which are too easy to tamper with, by a very small number of people. It only takes one guy in the right p

The FAQ makes me believe these standards are essentially useless. No source code, no independent verification (the voting machine manufacturer pays its choice of testing lab), and most importantly, no mandate to adopt these rules for any election.

Where does this fear of opening source code come from? Is there really a concern that some competing software vendor will copy their "tally up the votes" routine. I can see why banks and private companies want closed source, but why here?

The only answer I can see is that the machines are badly programmed or they have been rigged in some way.

In response to your question, "Is there really a concern that some competing software vendor will copy their 'tally up the votes' routine", we here at Diebold take great pride in the quality of our product. Our "tally up the votes"TM routine is a prized trade secret developed through extensive research and experimentation. If our competitors could simply copy our unique technique for counting votes they could develop the same product without incurring the significant costs of researching how to count.

I'm sure you can appreciate the sensitive technical know-how at the core of our product. Only a few vendors have discovered the secret to counting votes. If this knowledge became public anyone could count see how we count votes which would take away our incentive to create a much valued product which serves to protect democracy.

The future of voting needs to be open with pen and paper. If you hide the process away you have lost what you are voting for already so what is the point in voting. Modern democracy needs and option to say "i don't agree with the voting system" when voting. Kind of like a "none of the above" option where if that option wins new people are encouraged to stand.I live in the UK i have been British all my life. My Vote does not count in this country for the people who run this country !. Many people are not awa

Its more likely to be a fear of people not contributing.They could find flaws and then exploit them at the next election to make their candidate automatically win.

Of course its nonsense,If it went through a standard *nix development cycle with alphas, betas and release candidates along with a x86 compatible testing program and allowing (audited) patches then it would be very secure.Many people (especially conspiracy nuts) would be reading over the code.

Access to the source of the code running on your own PC is an excellent thing. It lets you modify it, confirm that it does only what it claims to do, find and fix bugs, and so on.

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affe

The machine could have hardware that computes a cryptographic hash on the data on disk and displays it on the front of the machine. That can be circumvented, but it would be much more difficult. Having the source code (to the whole system) you can compile according to prepared instructions and compute your own checksum to verify they are the same.

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affecting the correct operation of the code.

Amen to that. I worked for a temp firm for a contractor to ES&S when they were prepping the code for audit by a 3rd party under the previous version of the voting machine audit standards. The code needed major cleanup to comply with the coding standards (for readability), and we were in a time crunch, so everyone dropped what he was doing and worked on sanitizing the iVotronic code. After it was done, we had beautiful code. All variables were declared at the top of functions and names that made sense. No more globals. Functions had meaningful names and headers describing purpose, input, output, method, etc., etc., etc. We sent that software off to be audited for use in US elections. Of course, that code was never compiled. And it never made it back into the production s/w vault.

With closed source you really don't know whats going on changes can be done and you have no clue.On an open source system, technical professionals, besides average joes, will be able to examine and validate the integrity of the code. To verify it has not been tampered with authorities would compile the public source, get a checksum on the binaries, then compare that to what is installed on the machines, if there is a difference they replace the invalid binaries with the verified.

Has anyone else noticed that more money and time and effort has been spent trying to make and use good, fair, electronic voting machines than it would have taken to just keep using paper ballots and have them counted like usual? Isn't the point to save money and time and make it more efficient? I think another point was to make elections less riggable and more accurate but Diebold killed that dumb idea behind a long time ago lol.

That's my thought. Just take a look at the testing section and it's clear that A) these tests will still let problems slip through, and B) all the effort involved in an electronic version of a piece of paper and pencil is not worth it. Similar effort is put out on electronic financial systems because it's worth the benefits it gives. Electronic voting is probably the best example of technology looking for a problem to solve, and failing that, inventing a problem.

The main advantages of using voting machines is that they can be used to print out a nice, clean ballot which can be easily counted (no misaligned filling-out of ovals or odd marks, don't worry about #2 pencils or color of pens, no hanging chads, the ballot contains only the selected choices so no "they really meant this choice!" type of counting, etc).

They're also good at providing alternative interfaces for the disabled (sound or braille) while still printing out a nice, clean ballot.

The only reason for COUNTING machines is for speed though, and since there's no easy way to make sure the counting machines haven't been compromised, we shouldn't depend on them at ALL except maybe for "preliminary results". For the final official result, we should still stick to the hand counting votes (especially if we have nice, clean, easily-readable ballots).

You missed another advantage. Since the printed ballot is in a consistent (and preferably standard) format, those votes can be optically counted by a tallying machine built by a completely different vendor. If the preliminary count and independent OCR count agree within some agreed margin (we'll allow for misreading a vote or two per million, OCR isn't perfect). Then we can have a final, trustworthy election result within minutes of the closing of the polls. Accurate, trustworthy, _and_ fast. Wouldn't that be nice!

There shouldn't be any errors at all if the votes were printed out by a computer...You should print the ballot on a machine, verify that it really did vote for what you wanted, and then put it in a ballot box.

I did actually mention counting machines in my post, with the assumption that they were using OCR to read the same ballot results that the human used to verify that their ballot was correct, plus the ballot design & fonts were designed to be easily OCRed with high accuracy.As I mentioned, however, the only reason for using a machine to do the counting is speed. As long as you're using a "black box" for counting, it becomes very, very difficult to be sure that the votes are being counted the way you inte

"Classic" voting (aka paper ballot in cardboard box) has many, many problems. We just had elections, and I waited in line for 2:30 hours to vote. A big part of that time was devoted to wondering why the fuck don't they use some sort of electronic system for this.

Some problems that are typical with regular elections:- missing ballots for a given party make the thing go slooow- you waste time finding ballots when there are many options (most countries don't have a two-party thing going on but instead have tens of partys)- long time to cut ballots when you have elections for more than a single position (say, president and senators) - this factor also favors "block voting" for a party- the signed-envelope system has loopholes that allow people to buy votes anyway- you need people to supervise the whole thing, and no one wants to volunteer- the whole process is so troublesome and complicated that people just want to get it done instead of actually thinking about the election they are making

Of course, the electronic counterpart isn't easy to build. But it could be better, it's not really that hard. You need an easy consistent interface, solid machines that won't be easy to break, and some kind of receipt showing that you voted. That's it.

Sounds like the problem is with your country's implementation of paper ballots, and not the general idea itself. Here in Canada, voting takes maybe half an hour at most. You show up, verify your identity, get your ballot, go behind a screen and put an X in the circle next to the candidate, fold it up, hand it to the person working the box, watch them place the ballot in the box, go home.

To supervise the whole thing, we require people from multiple parties to be present at the polling station. It's hard to fiddle with something when it has to be verified by two (or more) opposing people at the same time.

I don't understand your references to multiple ballots. Is each party on a separate ballot or something? Why in the world would it be done like that?

That's what I was thinking. They must be doing something wrong. Using machines doesn't make the voting process any faster. The only way to move the line along faster would be to have more polling stations. Just as a reference point to any Americans, the average Canadian polling station only handles 352 people [www.cbc.ca]. The voting moves along rather quickly. And although it is possible to use ballot stuffing to rig the vote, it is very hard to do that for a large scale election, because the number of boxes you

Here in the UK, it takes no more than a couple of minutes. You turn up to find a mostly empty hall, because no-one has bothered turning out to vote. You spend 30 seconds or so wondering why you've bothered, since all of the candidates are lying bastards anyway, and their policies are broadly the same as everyone else's. Then you put a cross in a box next to the name of some guy who has no chance of being elected anyway, and you piss off home again, with a nice warm glow inside from having participated in t

Walk into polling centre (these are set up in schools and community halls and are likely less than a mile from your house), pick up piece of paper, go to a booth, put your mark in the box next to a name (With a big sign up saying if you miss the box or mark two you're not going to be counted), put it in the ballot box.Punch cards, machines, everything else, just unnecessary. I never understood the whole situation in the US where you have people queueing and some unable to vote due to being in line too long.

There have been many stories on Slashdot about electronic voting, and I can recall at least one which detailed a polling station where nobody could vote for three hours because the electronic voting machines didn't work, and/or there was nobody on site who could get the to work.

I don't see any of the problems you list about paper ballots that can't also happen with electronic voting.

Several generations of my family have worked for Diebold. They're a fixture in the community of Canton, Ohio. They're really good at physical security. Hell. They make most of the bank vaults and ATMs that you see.

But when it comes to voting machines, the only thing that separates the voting machines from their other products is strong bias. Tamper with an ATM at the factory, sure some FDIC bank will lose a few thousand dollars but the one doing the tampering gains nothing. Tampering with a voting machine, the perpetrator stands to influence an election in ways they see fit.

Many banks don't even own the ATM's. They're often owned by 3rd parties who then charge the banks service fees.The main difference is that the ATM is there for convenience. They're everywhere and can fit in places that banks can't. They also are available 24/7. Meanwhile, voting machines are much less convenient than absentee ballots, as you have to go to the voting precinct, rather than having them sent to you, resulting in you being able to fill them out anywhere and deposit in those seemingly ubiquit

Diebold ATMs are new to Australia though we seem to be getting the latest all singing dancing 'make it harder to do you banking' models that match web 2.0. Comically enough the other week I was thinking about the joke every one had here when they switched to windows for their OS tasks a good few months back. About three days later I walked past one that had a lovely blue screen of death just happily sitting there; I honestly have never fallen over laughing in my life before, let alone in the middle of a b

Yes, indeed, I heartily agree. I had a good laugh and would mod you funny too. Not meaning to burst the happy bubble, but such foreknowledge has a darker side too.It's not so "comforting" to know that regardless of which candidate or party Diebold selects, we can all rest assured in foreknowledge that the USA will: continue the genocidal punishment of the Cubans and equally genocidal elimination of the Palestinian people, ignore preventable humanitarian crises in favor of reinforcing corporate hegemony over

Too bad neither of the "major" political parties has the country's interests at heart, or we would have real, open standards for the machines themselves, and not just a voluntary fucking testing process.

No, it's not misleading at all. It says the "standards are open to public", which doesn't have to imply source code. If, for example, the standard is to do all counting with a paper ballot, does it matter if the source code for the computer which generates the paper ballot is open (as long as the paper ballot is verifiable by the voter)?

...When you can simply bombard the numb populace with expensive television advertising, purchase stories in the "news entertainment media," bribe them by appealing to their greedy special interests, and manipulate them through churches and synagogues?

They don't have to hack the voting machines. They've already hacked the voters. Just as Plato predicted they would!

Well, if you want a particular government in and they're 10% behind, your voter hacking might bring them within 5%, which is about the margin by which you could rig the voting process.
I mean, if you relied solely on hacking voting machines, then your election outcomes would be so different from the polls, so regularly, that people would suspect that the hacking is taking place.
This way, you get only slight irregularities, and surer outcomes.
Of course having a USA PATRIOT act that, effectively allows t

Of course having a USA PATRIOT act that, effectively allows the electoral college to seize ballot boxes, without scrutiny or explanation, helps a real lot.

This is the first I'm hearing about anything in the USA PATRIOT act that has anything to do with the Electoral College. Would you have any links to a fuller explanation of these added powers you seem to think the College has been given?

For those of you who have wanted voter-verifiable paper records, the new VVSG says:

Software independence means that an undetected error or fault in the voting system's software is not capable of causing an undetectable change in election results. All voting systems must be software independent in order to conform to the VVSG.

See section 2.4 [eac.gov] for a discussion of "software independence." The draft guidelines present "independent voter-verifiable records" (IVVR) as one method of achieving "software independence," though it leaves the door open for other innovative ways of achieving the same goal (such as end-to-end cryptographic verification).

I definitely recommend reading the guidelines. There's a lot of stuff in there.

Now for the subjective part of my comment. The concept of "software independence" is a laudable goal -- and achieving "software independence" as defined in the guidelines is certainly an improvement. Voting systems that fail to meet the guidelines' definition of "software independence" deserve little confidence, given what we know about bugs and complexity in software.

My problem with the term "software independence" is that it is misnamed. The guidelines give a definition of "software independence" th

I definitely recommend reading the guidelines. There's a lot of stuff in there.

Yes, and I suggest reading the FAQ, too:

"Q: Will the source code be available to the public?
A: No. The EAC will make all information available to the public consistent with Federal law. The EAC is prohibited under the Trade Secrets Act (18 U.S.C. 1905) from making the source code information available to the public.

This is a bad idea. A much better idea is this: "No voting machine shall be certified unless the vendor ma

Scantron and a #2 pencil.It doesn't even need to be modified. Actually, it should be in the guidelines that it is encased in a solid unbreakable enclosure and not have any custom software, the same scantron software they use in high schools.Maybe a second system to check who has voted and to prevent doubles (not connected to the scantron machine in any way)

#2 pencil, boxes marked "check here", and manual counting overseen by reps from both parties when the boxes are opened. Simple. Unhackable by external third parties. Infinitely auditable. Cheap, 'cause the monitors work for free.Scantrons can be hacked as well. The false assumption is that the manufacturer is pure of heart. They ain't.

Canada uses the #2 pencil and paper system, and they finish national elections in hours. With no room for cheating. And they can do recounts. Easily. There is no reason, NONE,

Diebold didn't fail. They did precisely what they wanted to do. Deliver a compromised system that could deliver the votes to the Republican party without too much fuss. They stonewalled every investigation, and got away clean. We can hold a politician to account, you see, but corporations are designed to be a fog impervious to criminal charges.

I worked on the old mechanical voting machines in the early 90s. They were hard programed for with little keys that controlled the voting levers for each question. At the end, a giant summary sheet was printed out and totals were hand checked against number of people who voted and totals on the summary sheet. After the election was certified the machines had all the keys removed.So how freaking hard is it to burn one PROM with the questions/canadates names to be displayed on the screen and a second PROM

You've actually come up with the answer without stating it explicity: Keep using mechanical voting machines! With levers! We have these in NY, and they are freaking solid as heck, and don't require electricity, near as I can tell. No power outages to worry about. No mass-scale software editing to mess things up (being realistic, this could be more likely to happen as a result of bug or error than someone trying to fix the election.Adding complexity to a functioning system only benefits the producers of

So how freaking hard is it to burn one PROM with the questions/canadates names to be displayed on the screen and a second PROM to contain the "Voting Control Keys"?

You're suggestions mitigate tampering by a 3rd party, but don't necessarily prevent fraud on the part of the manufacturer. This is a concern to many in the US, due to ties between the DVR makers and politicians. E.g. Diebold with the Republic Party and ES&S with (former) US Senator Exon, just to name some of the known associations.

Wouldn't it be better to start with an open standard around the election process for information exchange and the like? This Already Exists [oasis-open.org] and is "recommended" by the US Government. Why only recommended? Surely this exactly the sort of thing that should be enforced as a basic requirement. Its not like the US Government could claim "we can't enforce that standard as vendors might not want to use it" its the US frigging Government legislate is what they do.

So a good start on the standards but it would be good to see compulsion come in.

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

The reason that's not a requirement is that if the other requirements are defined correctly, access to the source code is irrelevant. If the other requirements are not defined correctly, access to the source code is also irrelevant, because there's no practical way to be sure what code is actually running on the voting machines.

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how mali

No -- a voter-verifiable paper trail, while useful, does not make source code irrelevant.Voter-verifiable records only help ensure that votes are counted as recorded. They don't fully address problems that occur before the votes are recorded: votes can still be recorded incorrectly due to ballot presentation errors, or never recorded at all due to software failures.

Think of an election as a scientific measurement. In order to get an accurate result, the polling mechanism has to be free of bias. If the so

Perhaps you're understanding something different than I mean when I say "voter-verifiable paper trail".

What I mean is that the voting machine's sole purpose is to print out a paper ballot. That ballot is the real vote, and it is easily human readable and verifiable. The voter can, and should, verify that the printed ballot correctly represents their selected choices. If a voting machine generates ballots that disagree with the user's selections (i.e. system error, not user error), then the system shoul

Yes, but I thought my response to it was implicit in my response to the rest.

If the software crashes more often in one district than another, or sometimes skips contests, or fails to display certain candidates, that's going to bias your result.

Don't you think that would influence an election?

Don't you think those behaviors would be noticed? I certainly do, especially if the printed ballot showed all races, even those the voter didn't state a preference on. The hardest-to-detect of the behaviors you mention is crashing, but even that one would be fairly obvious to anyone bothering to look.

It's also worth noting that the punchscan system addresses these concerns very effectively, and does not require open source

I notice, though, that you completely ignored my point that source inspection is useless. Twice. Why is that?

Let's go back a bit to clear up what we're discussing. You made a number of points in your first comment. I chose to address just one of them because I didn't have the time to engage in multiple debates with you simultaneously. But I'll explain my thoughts more fully now so you can understand where I'm coming from.

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how malicious the software.... A voter-verifiable paper trail accomplishes this rather easily.

I don't think it's all that easy.

Based on what you're written ("The mechanism has to be free of *undetectable* bias." and "Don't you think those behaviors would be noticed?"), I suspect you are making the assumption that detectability

How, then, do you ensure that the code that you vetted is actually running on the machines?

The short answer: chain of custody.

Like any other piece of election equipment, the voting machines have to be physically protected from the time they are configured to the time they are used. The same holds true for mechanical voting machines, paper ballots, electronic pollbooks, and so on.

I'm not saying that current procedures for this are adequate -- far from it. Obviously if you leave the machines for unatt

This is utter silliness. So what if you review the code? So what if there are "open standards"? The code you review can be swapped out on election day any number of ways! I mean, you are all programmers, mostly. How can you possibly fall for this? And there is code on the point of voting, code at the accumulators boxen, running Windows may I add, code at HQ adding up the accumulators' totals. It's the work of a morons's minute to swap out vote totals, or change the code at the point of voting to simply flip the voter's choice undetectably -- printing out a "receipt" that is worthless as record of what actually happened. The code can be changed and then replaced instantly. Or more likely, why bother? Who the hell can tell what code is really running on the box? The problem here is you all have a religious belief that when you ask a computer a question, you'll get an honest answer. But these are dedicated boxen, controlled by humans who are extremely motivated to alter the results. You can't beat them. You can only remove the means. No computers system should ever come near an election.

Canada does (did? sigh) vote using a manual process with real time oversight by suspicious characters from both parties present -- you know, the process we decided was mad in Florida in 2000. Somehow they finish up their elections in hours. Although, really, what the hell is the hurry to finish an election? Why not take a week? Someone REALLY wants to alter those votes. They want it quick, unmonitored, and completely open to tampering, and somehow this is the Only Way To Do It?

This idiocy wouldn't stand if we didn't have Kourictainment for a news media... god.

Canada does (did? sigh) vote using a manual process with real time oversight by suspicious characters from both parties present -- you know, the process we decided was mad in Florida in 2000. Somehow they finish up their elections in hours.

The reason they can count quickly is that they have so little to count. I don't mean in terms of number of ballots, I mean in terms of ballot complexity. A US ballot often has upwards of thirty or forty separate decisions recorded on it, because it combines federal, state and local elections, and because the US system votes on many offices that are appointed in Canada (and elsewhere).

Personally, I wouldn't mind waiting a few days for the outcome, but for some reason Americans don't even want to wait u

We use paper here in Minnesota, and the ballots are scanned with an optical scanner. It's pretty damn easy, on the ballot are two arrows next to the name and you draw a line between them if you want that selection.The amazing thing is you can still vote if the power goes out.

It's highly scalable, as voting station tables are cheap and easy to store and setup. you can have a two dozen of them at a polling station for not much money.

The optical scanner is there to count ballots. But they can be counted by

i totally agree. the only downfall is the waste of paper. compare that to the power requirements for totally electronic voting and it's probably a wash.
in the future, we'll all be able to vote online somehow.

there is no need for computer technology to be incorporated into voting. in fact, it unnecessarily opens the system to fraud. ANY database solution is inherently open to corruption on a massive scale without the ability to audit the results. people (around the globe) have been casting votes for hundreds of years without the need of a black box intermediary.
in america, as most places there are plenty of volunteers who will monitor polling stations and tally the ballots. should staffing ever become a problem

It assumes the voting system is based on the "VOTING MACHINE" and not the algorithm's and network.The assumption is that voting is based on the "VOTING MACHINE", but this isn't always the case.So any system fitting there template must rely heavily on "SECURE VOTING MACHINE HARDWARE" and looks at physical Security totally over looking the network and electronic security.

My largest single concern is the possibility of a clever software trick that could alter larger numbers of votes in mass using some automate